If you guys don't mind, I was wondering if people could share there advice and their experience on patch management. How often they patch their systems, every day, week, quarter, etc? What tools they use and their experiences with those tools? Whether they concentrate on critical patches instead installing all patches?

normally we suggest them to test the patches first before applying them. It would be good if they are tested in a test server (if they have spare servers).

In addition, critical patches should be checked with the vendor first (assuming you have some applications running above the O/S, therefore, it's good to ask them before applying, otherwise, you may have problems like blue screen or some services not running etc. (Bear in mind, all IT Dept will not do the patch because they'll say, if it's not broken, why fix it, (meaning, they're scared if things goes down, so give them OT to work on the recovery.....), however, the should get the approval or rationale for patching/not patching the updates etc.

Also document the patches before/after, so you got a trail on that. and of course all patches should be approved by the management.

A certain company I may or may not be familiar with, has used various patch management tools, from rolling our own, Bladelogic, Patchlink, and SMS for OS and common applications Before any system is deployed, there is a risk assessment done on it, part of which involves a miniumum level of patching.

We patch the week following M$ Patch Tuesday. I believe other applications are caught in our defense in depth strategy of vulnerability scanning. If there is a known high or medium level vulnerability with an associated patch, then it is applied. (Unless it is a business critical application and nobody wants to take the blame for something going wrong)

It helps that there are corporate policies in place which outline that patch management must be performed on a regular basis, it's up to the individual areas to figure it out for themselves.

In my opinion this really depends on the environment you are working in, the type of business you conduct and the methods used.If you can share some more information, perhaps in a generic way, you can get some more targeted responses.

Ultimately its going to come down to the risk appetite of the business, how the organisation is structured, segmentation of the infrastructure, testing capabilities and budget.

Patch management is still something that so many organisations fail to do well, but at the same time it can be very simple.

Thank you everyone for the replies. I agree that patch management depends on the policies of the organization. I thought it was a good question to ask the community since it is such an important procedure for an organization with a security conscience. I know companies have different ways and applications of accomplishing it. I have seen SMS, shavlik, WSUS, Altiris, BigFix, etc. I was wondering if anyone was partial to one of them and why?

Also, I have seen people argue how often it should be done due to the testing required to install patches. Personally, I think once testing is done, you can install all tested patches. You never know if a low priority patch can be used for a higher vulnerability.

That is why I just wanted to see how other security minded people handled the task. Also, I think VMware is perfect for patch management because of snapshot. It is faster than using Ghost or Clonezilla.

Personally I think WSUS is a good solution if your a Windows shop, however what ever works for the organisation is a good way to proceed.I agree a VM environment can provide an excellent platform for multiple testing, rollbacks, etc a breeze, however I have seen on the odd occasion hardware issues with patching, so there is sometimes value in hardware based testing, especially if you have adopted standard hardware and this isnt a huge amount of devices.

Security Patching is important, however many organisations still do not treat it with the attention it deserves. Keeps us in a job though